At Synopsys, we work with the community and organizations to understand what responsible open source usage means. As part of that process, we view our connection to the open source community as a key component to both understanding where the development community is and educating them on how to build better code. Earlier this year, we released the Open Source Security and Risk Analysis Report (OSSRA), which distilled data from over 1,000 customer audits performed by the Black Duck Audit Services team. Building on these results, we’re releasing the results of our Open Source 360⁰ survey.
The Open Source 360⁰ survey was sent to contributors, practitioners, and consumers of open source solutions. The goal of this survey was to identify key areas where open source software development is thriving, and identify risks and challenges as it continues to grow. The survey had over 800 respondents globally — spanning industries from financial services through manufacturing and retail to technology companies. Nearly 60% of respondents increased usage of open source code, following strong usage growth in 2016. A lack of vendor lock-in and the ability to customize the software were viewed as two of the key reasons respondents choose to use open source code.
Open source development has become the norm in modern organizations, in part because it offers an opportunity to increase development speed while reducing the monetary cost of the software. This reduction in monetary cost is offset by an increase in collaborative responsibility, which increases both security and compliance risks if not accounted for.
While I’d love to say that everyone recognizes that free software isn’t a risk-free proposition, that simply isn’t the case. At every event I’ve spoken at this year, at least one attendee admits to not knowing what open source components are present in their environment. Rephrasing this statement in security terms – at least one attendee at each event had no clear view of the attack surface in their environment.
Our survey respondents admitted to being concerned about open source vulnerabilities exposing both internal (64%) and external (71%) applications to exploits. Slightly over 50% of respondents used tools to scan for open source. A full 38% of respondents don’t review code for open source at all! When combined with the OSSRA report, many organizations consuming open source components have significant opportunities for risk mitigation while reaping the benefits of open source software. A key to reducing risk is using an automated tool to clearly identify open source in the codebase, a practice that unfortunately wasn’t common within survey respondents.
One way to significantly reduce open source risk is to become an active participant in key projects. While the survey found 66% of organizations supported active contribution to open source projects, only 24% dedicated full-time development resources to specific open source projects. I was happy to see that many respondents’ organizations encouraged active project participation by employees, and not surprised that 53% specifically encouraged contributions of bug fixes and small feature enhancements.
For many open source projects, community support via bug fixes are a key component to project vibrancy and thus success. Unlike commercial software where support agreements are created in return for license fees, the success of an open source project is a direct function of the activity level of its community. By encouraging participation in open source projects and sponsoring open source projects strategic to their business, many organizations are helping ensure continued success of the project and reducing associated risks. Why do our respondents participate in open source projects? The top four reasons were:
Open source is fundamental to the product delivery strategy for many respondents, making active participation in open source communities more important than ever.
All software is subject to some form of license. The license identifies any rights granted while also stating obligations the licensor expects you to follow. Open source software is no different, but developers have choice in the selection of license type — each with its own set of obligations. Often those obligations are transferred when the software is shipped or delivered to a third party, and fulfilling those obligations requires an understanding of what they are. 66% of our survey respondents are concerned with loss of intellectual property or other licensing risks.
39% of respondents indicated that they use an include list of acceptable open source licenses, yet only 37% provide internal access to open source licensing, security and version information. While having a corporate governance policy for license usage is a best practice, compliance with that policy requires an understanding of precisely which licenses are being used and by which components. Only 29% of respondents had an automated solution for inventorying open source in use and identifying policy violations and security risks at various points in the software development life cycle (SDLC), while only 15% strictly enforced their policies with automated controls.
We continue to see enormous growth in use of open source across all industries and in businesses of every size. Most organizations are using open source because it helps reduce development costs, deliver apps to market faster, and innovate. This survey shows how important it is that organizations develop a better understanding of their software composition and awareness of compliance security risks.
A detailed presentation of the complete Open Source 360° Survey results is available on the Synopsys website. Watch my webinar discussion of the survey findings (available on demand), and send your question to me at @timintech.
This year’s Open Source 360° Survey is the successor to the former Future of Open Source Survey, co-presented for many years by Synopsys and North Bridge.
Tim Mackey is a principal security strategist within the Synopsys CyRC (Cybersecurity Research Center). He joined Synopsys as part of the Black Duck Software acquisition where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. As a security strategist, Tim applies his skills in distributed systems engineering, mission critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, Black Hat, Open Source Summit, KubeCon, OSCON, DevSecCon, DevOpsCon, Red Hat Summit, and Interop. Tim is also an O'Reilly Media published author and has been covered in publications around the globe including USA Today, Fortune, NBC News, CNN, Forbes, Dark Reading, TEISS, InfoSecurity Magazine, and The Straits Times. Follow Tim at @TimInTech on Twitter and at mackeytim on LinkedIn.